Dragos: Putting Operational Technology Risks in Perspective

Magpie Graham, VP of Strategic Intelligence at Dragos
In this Cyber Magazine Q&A, Magpie Graham, VP Strategic Intelligence at Dragos, examines the evolving OT threat landscape and key operational risks in 2026

As modern industry becomes increasingly connected, the cyber-physical systems running critical tasks, often left unsecured, become an easy entry point for bad actors looking for a simple way to break in.

These systems, essential parts of critical infrastructure across energy, manufacturing, transport and utilities, face a rising mix of cyber threats, supply chain vulnerabilities and operational disruptions that can prove catastrophic if attacked or taken offline at scale.

From sophisticated ransomware attacks targeting industrial environments to well-coordinated nation-state activity inside OT networks, the stakes for operational resilience have never been higher.

Despite these high stakes, many organisations struggle with visibility across legacy infrastructure, fragmented security architectures and the growing complexity of interconnected supply chains.

In this Q&A with Cyber Magazine, Magpie Graham, VP of Strategic Intelligence at Dragos, dissects the evolving OT threat landscape and the operational risks shaping industrial cybersecurity in 2026.

What was the most consequential finding of the 2026 Dragos OT/ICS Cybersecurity Report?

How far adversaries have progressed inside OT networks. We designated three new threat groups this year and for the first time, two of the three are what we call Stage 2 adversaries – groups already operating inside OT networks with the capability to interact with specific industrial control technologies.

In previous years, we saw more early-stage activity or groups that had developed tooling but hadn't deployed it in the wild.


In 2026, that has now changed. These adversaries have moved beyond the IT-OT boundary – they are now inside operational environments, probing networks, mapping processes and understanding how industrial systems communicate.

This greater willingness to go deeper – across state-sponsored, activist and criminal adversaries alike – is the most consequential shift.

Which emerging threat groups should the industrial sector be most worried about?

We designated three new threat groups in 2025 and a primary concern is how they operate in concert.

SYLVANITE is an access broker, exploiting internet-facing systems before patches are applied and then enabling more capable groups. We observed this handoff during an incident response at a US utility.

AZURITE has been active since 2021, exfiltrating operational data and alarm configurations from energy, manufacturing and defence organisations across the US, Europe and Asia-Pacific.

PYROXENE targets supply chains and has deployed destructive malware, including during the recent Iran-Israel conflict.

An ecosystem is emerging in which specialised groups feed access and intelligence to more capable ones – each playing a defined role on the path to operational disruption.

Are energy and transport systems prepared for coordinated cyberattacks?

In our research for our Year in Review report, we found that 88% of our tabletop exercises in 2025 revealed degraded detection capabilities. 81% of architecture reviews showed poor segmentation between IT and OT.

Dragos at GridSecCon | Credit: Dragos via LinkedIn

Across the last decade, we’ve tracked KAMACITE and ELECTRUM continuing to target energy infrastructure globally. In that time both groups have expanded capabilities and compromised additional utilities.

At the end of December, we were able to track a coordinated attack against Polish energy infrastructure targeting heat, power and renewable energy management systems.

Disruption was prevented but that is not evidence of readiness. We also tracked a threat group spending months scanning internet-exposed US industrial devices across water, energy and manufacturing – an example of deliberate pre-positioning.

The bigger gap is that most organisations test in isolation. They don’t test the day an upstream provider is disrupted, a logistics partner is unreachable, or a chemical supplier goes offline. The exercises that matter test whole dependency chains, not individual perimeters.

Why is ransomware hitting industrial OT systems harder than ever?

In 2025 Dragos tracked 119 ransomware groups targeting industrial organisations, a 49% increase over 2024, impacting 3,300 organisations in total.

Volume isn’t the most important shift – focus is. Affiliates are increasingly targeting the virtualisation infrastructure that OT systems depend on.

When a server hosting critical monitoring or control workloads is encrypted, operators lose visibility without a single piece of industrial equipment being touched. There is also a persistent misclassification problem.


Engineering workstations and operator interfaces running standard software are routinely logged as IT assets, meaning the true scale of OT ransomware incidents is almost certainly being undercounted.

How can organisations boost OT visibility and stop attacks faster?

All organisations across industrial environments need to start with an accurate asset inventory: you cannot defend what you cannot see.

From there, organisations need monitoring that detects anomalous behaviour at the network level, not just known malware signatures. In 2025, 56% of our penetration tests found defenders could not detect adversary activity using common administrative tools.

Average dwell time for OT ransomware was five days in 2025, but overall it sits at 42 days. That figure reflects what happens when monitoring is absent. Continuous monitoring, proper segmentation and regular exercises are the difference between containing an incident and rebuilding from scratch.
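The two points in this answer, an asset inventory built from what the network actually shows and monitoring that flags behaviour rather than signatures, can be demonstrated in a few dozen lines. The following is an added example written for this page, not Dragos tooling or code from the interview; the hosts, ports and flow records are constructed, and the role-inference rules (a host that initiates an industrial protocol is an operator or engineering asset, a host that serves one is a device) are an assumption chosen for illustration. It also shows why role-based classification matters for the misclassification problem raised earlier: an engineering workstation that also browses a web historian is still tagged OT because of what it talks to.

```python
"""Baseline-driven OT monitoring sketch (constructed data, hypothetical network).

Step 1: infer an asset inventory from observed flows.
Step 2: learn the set of normal (src, dst, port) tuples.
Step 3: flag new flows by *behaviour* (who talks industrial protocol to whom,
        admin tooling between OT hosts), not by malware signature.
"""
from collections import defaultdict

# Well-known industrial protocol ports (public assignments, not page-specific).
INDUSTRIAL_PORTS = {502: "modbus_tcp", 102: "s7comm", 20000: "dnp3", 44818: "ethernet_ip"}
# Common administrative tools an adversary may reuse once inside.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 445: "smb", 5985: "winrm"}

# Constructed "known good" traffic from a hypothetical plant network.
BASELINE_FLOWS = [
    ("10.1.10.5", "10.1.20.11", 502),   # HMI polling PLC A over Modbus/TCP
    ("10.1.10.5", "10.1.20.12", 502),   # HMI polling PLC B
    ("10.1.10.7", "10.1.20.11", 102),   # engineering workstation -> S7 PLC A
    ("10.1.10.5", "10.1.30.2", 443),    # HMI -> historian web UI
    ("10.1.10.7", "10.1.30.2", 443),    # engineering workstation -> historian
]

# Constructed traffic from a later observation window.
NEW_FLOWS = [
    ("10.1.10.5", "10.1.20.11", 502),   # normal poll, already in baseline
    ("10.1.40.9", "10.1.20.11", 502),   # never-seen host speaking Modbus to PLC A
    ("10.1.10.7", "10.1.20.12", 102),   # known workstation, new PLC target
    ("10.1.10.7", "10.1.10.5", 3389),   # RDP between two OT hosts
]


def build_inventory(flows):
    """Derive asset roles purely from observed behaviour."""
    inventory = defaultdict(set)
    for src, dst, port in flows:
        if port in INDUSTRIAL_PORTS:
            inventory[src].add("ot_client")   # HMI / engineering workstation
            inventory[dst].add("ot_device")   # PLC / RTU / gateway
        else:
            inventory[src].add("generic_client")
            inventory[dst].add("generic_server")
    return dict(inventory)


def classify(inventory, host):
    """OT if the host takes part in any industrial protocol, else IT or UNKNOWN."""
    roles = inventory.get(host, set())
    if roles & {"ot_client", "ot_device"}:
        return "OT"
    return "IT" if roles else "UNKNOWN"


def learn_baseline(flows):
    """The set of (src, dst, port) tuples considered normal."""
    return {(src, dst, port) for src, dst, port in flows}


def detect(baseline, inventory, flows):
    """Return findings for flows outside the baseline, tagged by why they matter."""
    findings = []
    for src, dst, port in flows:
        if (src, dst, port) in baseline:
            continue
        if port in INDUSTRIAL_PORTS and src not in inventory:
            reason = "unknown_ot_client"        # unseen host driving a device
        elif port in INDUSTRIAL_PORTS:
            reason = "new_ot_pair"              # known client, new device
        elif port in ADMIN_PORTS and "OT" in (classify(inventory, src), classify(inventory, dst)):
            reason = "admin_tool_in_ot"         # living-off-the-land style access
        else:
            reason = "new_flow"
        findings.append({"src": src, "dst": dst, "port": port, "reason": reason})
    return findings


if __name__ == "__main__":
    inv = build_inventory(BASELINE_FLOWS)
    for host in sorted(inv):
        print(f"{host:12} {classify(inv, host):8} {sorted(inv[host])}")
    for f in detect(learn_baseline(BASELINE_FLOWS), inv, NEW_FLOWS):
        print(f"ALERT {f['reason']:18} {f['src']} -> {f['dst']}:{f['port']}")
```

Note that none of the three alerts depends on recognising a tool or payload: a signature feed would see an ordinary Modbus poll, an ordinary S7 session and an ordinary RDP login. What makes them worth a look is that they are new relative to the plant's own baseline, which is what network-level behavioural monitoring means in practice, and it only works if the inventory and baseline exist before the incident.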

How should human error and supply chains factor into OT security?

Both are underestimated in most security programmes. For example, a threat group ran a number of sustained phishing campaigns in 2025, maintaining multi-day conversations with engineering personnel in their native language using industry-specific terminology.

This wasn't just adversaries being generally opportunistic; they were carefully socially engineering and specifically targeting these personnel. At the same time, adversaries are increasingly targeting contractors and managed service providers as entry points into higher-value targets.

Cl0p demonstrated the same logic at scale, exposing operational documents across hundreds of industrial organisations without ever touching an OT network.

Organisations need to treat their entire operational ecosystem as part of the attack surface. It’s why Dragos runs OT-CERT – a free, public-private resource for organisations that don’t have the budget to build their own OT security capability. More than 3,000 organisations use it.

What are the biggest OT risks for the rest of 2026?

The first is internet-exposed OT assets. Adversaries spent months in 2025 scanning US industrial devices across water, energy, and manufacturing sectors. That intelligence will inform future operations.

Second, the ransomware ecosystem is not slowing down. In 2025, 148 engineering firms and 124 industrial equipment vendors were compromised. These are organisations with access to multiple industrial sites, and adversaries understand that leverage.

Finally, most OT environments still lack adequate detection. Until that changes, organisations will keep learning about compromises after the damage is done.
